Autharky · point-in-time analysis

Android push approval as optional 2FA

Can Autharky send an Android notification with Approve and Deny directly in the notification drawer—and can we avoid publishing an app?

Investigated 13 July 2026 · intended for a small personal/friends deployment

Where it fits in Autharky

Autharky already has the right server-side boundary. After password or brokered login, it checks for configured factors and blocks at stageNeedSecondFactor. Today TOTP and passkeys are alternatives.

The realistic options

Fast prototype

2. ntfy

The existing ntfy Android app can show arbitrary HTTP Approve/Deny actions. It is open source and self-hostable, so Autharky could publish a 60-second one-time callback without building an app.

Catch: this proves possession of a delivered bearer callback, not a device-held private key. The generic action also does not guarantee authenticated device unlock.

Private HTTPS, deny-by-default ACLs, per-user topics and one-time tokens reduce risk. They do not make it cryptographically device-bound MFA.

Poor fit

3. privacyIDEA

privacyIDEA has a mature signed push protocol and open-source authenticator. Enrollment creates a keypair; server challenges and phone responses are signed.

Its current app performs approval in an in-app dialog rather than offering the requested notification actions. It also introduces a second authentication server beside Autharky. Forking the large Flutter app is more machinery than a small dedicated client.

Middle ground

4. Installable PWA

Web Push and a service worker can show Android notification buttons with no app store and automatic updates.

Browser support is less uniform, and the web platform does not expose the same reliable device-unlock and hardware-backed signing controls as native Android. Useful for an experiment, not the preferred security boundary.

OptionDrawer actionsSelf-hostedSecurityBest use
Duo MobileYesNoStrong, matureFirst implementation
ntfyYesYesBearer-actionPersonal UX prototype
privacyIDEANot directlyYesStrongExisting privacyIDEA estate
Autharky appYesMostlyStrongest controlLong-term self-control

If we build the Autharky app

A small dedicated Android client is feasible. It should treat FCM only as a wake-up transport and make the device's cryptographic key—not the notification payload—the factor.

Enrollment

The authenticated Security page creates a short-lived, single-use enrollment QR.
The app generates a non-exportable P-256 signing key in Android Keystore.
The app sends its public key, device name, push token and enrollment proof to Autharky.
Autharky stores a tenant/user-scoped device. Removal revokes it immediately.

Authentication

After primary login, Autharky creates a random challenge bound to tenant, user, browser session, client, nonce and a 60–90 second expiry.
FCM delivers a high-priority signed challenge with no reusable credential.
The app verifies Autharky's signature and shows client, time/IP context and a short number also visible in the browser.
Approve and Deny are native notification actions. On Android 12+, Approve requires device authentication before execution.
The device signs its decision and posts it to Autharky.
Autharky verifies the enrolled public key and atomically changes pending to approved or denied. The original browser consumes approval once and records push in amr.

Non-negotiables: one outstanding challenge, resend cooldown, number matching, rate limits, audit events, device removal, token rotation, fallback factors, replay protection, tenant/session binding and atomic concurrent approval/denial handling.

FCM data is not end-to-end encrypted by default. Send only a signed opaque challenge and minimal display data, or encrypt the payload to the enrolled device. Never put a reusable Authorization header or approval secret in a notification.

No Play Store is required

For devices without Google services, use UnifiedPush or authenticated polling. The phone still needs to reach Autharky's public HTTPS issuer.

Recommendation

  1. Integrate Duo Universal Prompt first. It matches the requested notification behavior and validates Autharky's factor selection, callback, AMR, enrollment and recovery model without mobile work.
  2. If SaaS is unacceptable, use ntfy only as a labeled UX spike. Do not present its bearer-action model as equivalent to a signed device approval.
  3. Then build the focused Autharky Android client if self-control is worth the maintenance. Keep TOTP and passkeys as recovery alternatives and include number matching even when approval stays one-tap.

Primary references